Commit 22b3f583 authored by Nick Thomas's avatar Nick Thomas

Merge branch '233636-refactor-specs' into 'master'

Refactor PAT policy specs

See merge request gitlab-org/gitlab!39102
parents 8ae7daa4 90f28dac
...@@ -3,7 +3,7 @@ ...@@ -3,7 +3,7 @@
class PersonalAccessTokenPolicy < BasePolicy class PersonalAccessTokenPolicy < BasePolicy
condition(:is_owner) { user && subject.user_id == user.id } condition(:is_owner) { user && subject.user_id == user.id }
rule { is_owner | admin & ~blocked }.policy do rule { (is_owner | admin) & ~blocked }.policy do
enable :read_token enable :read_token
enable :revoke_token enable :revoke_token
end end
......
...@@ -5,38 +5,59 @@ require 'spec_helper' ...@@ -5,38 +5,59 @@ require 'spec_helper'
RSpec.describe PersonalAccessTokenPolicy do RSpec.describe PersonalAccessTokenPolicy do
include AdminModeHelper include AdminModeHelper
using RSpec::Parameterized::TableSyntax subject { described_class.new(current_user, token) }
where(:user_type, :owned_by_same_user, :expected_permitted?) do context 'current_user is an administrator', :enable_admin_mode do
:user | true | true let_it_be(:current_user) { build(:admin) }
:user | false | false
:admin | false | true context 'not the owner of the token' do
let_it_be(:token) { build(:personal_access_token) }
it { is_expected.to be_allowed(:read_token) }
it { is_expected.to be_allowed(:revoke_token) }
end
context 'owner of the token' do
let_it_be(:token) { build(:personal_access_token, user: current_user) }
it { is_expected.to be_allowed(:read_token) }
it { is_expected.to be_allowed(:revoke_token) }
end
end end
with_them do context 'current_user is not an administrator' do
context 'determine if a token is readable or revocable by a user' do let_it_be(:current_user) { build(:user) }
let(:user) { build_stubbed(user_type) }
let(:token_owner) { owned_by_same_user ? user : build(:user) }
let(:token) { build(:personal_access_token, user: token_owner) }
subject { described_class.new(user, token) } context 'not the owner of the token' do
let_it_be(:token) { build(:personal_access_token) }
before do it { is_expected.to be_disallowed(:read_token) }
enable_admin_mode!(user) if user.admin? it { is_expected.to be_disallowed(:revoke_token) }
end end
context 'owner of the token' do
let_it_be(:token) { build(:personal_access_token, user: current_user) }
it { is_expected.to(expected_permitted? ? be_allowed(:read_token) : be_disallowed(:read_token)) } it { is_expected.to be_allowed(:read_token) }
it { is_expected.to(expected_permitted? ? be_allowed(:revoke_token) : be_disallowed(:revoke_token)) } it { is_expected.to be_allowed(:revoke_token) }
end end
end end
context 'current_user is a blocked administrator', :enable_admin_mode do context 'current_user is a blocked administrator', :enable_admin_mode do
subject { described_class.new(current_user, token) } let_it_be(:current_user) { build(:admin, :blocked) }
context 'owner of the token' do
let_it_be(:token) { build(:personal_access_token, user: current_user) }
let(:current_user) { create(:user, :admin, :blocked) } it { is_expected.to be_disallowed(:read_token) }
let(:token) { create(:personal_access_token) } it { is_expected.to be_disallowed(:revoke_token) }
end
context 'not the owner of the token' do
let_it_be(:token) { build(:personal_access_token) }
it { is_expected.to be_disallowed(:revoke_token) } it { is_expected.to be_disallowed(:read_token) }
it { is_expected.to be_disallowed(:read_token) } it { is_expected.to be_disallowed(:revoke_token) }
end
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment